1*4882a593Smuzhiyun // SPDX-License-Identifier: GPL-2.0
2*4882a593Smuzhiyun /*
3*4882a593Smuzhiyun * This is for all the tests related to validating kernel memory
4*4882a593Smuzhiyun * permissions: non-executable regions, non-writable regions, and
5*4882a593Smuzhiyun * even non-readable regions.
6*4882a593Smuzhiyun */
7*4882a593Smuzhiyun #include "lkdtm.h"
8*4882a593Smuzhiyun #include <linux/slab.h>
9*4882a593Smuzhiyun #include <linux/vmalloc.h>
10*4882a593Smuzhiyun #include <linux/mman.h>
11*4882a593Smuzhiyun #include <linux/uaccess.h>
12*4882a593Smuzhiyun #include <asm/cacheflush.h>
13*4882a593Smuzhiyun
/* Whether or not to fill the target memory area with do_nothing(). */
#define CODE_WRITE true
#define CODE_AS_IS false

/*
 * How many bytes to copy to be sure we've copied enough of do_nothing().
 * execute_location() copies this many bytes and the EXEC_* callers size
 * their target buffers by it, so the two must stay in step.
 */
#define EXEC_SIZE 64

/* This is non-const, so it will end up in the .data section. */
static u8 data_area[EXEC_SIZE];

/* This is const, so it will end up in the .rodata section. */
static const unsigned long rodata = 0xAA55AA55;

/*
 * This is marked __ro_after_init, so it should ultimately be .rodata.
 * lkdtm_perms_init() ORs 0xAA into it during __init and
 * lkdtm_WRITE_RO_AFTER_INIT() checks for that bit pattern before it
 * attempts its write.
 */
static unsigned long ro_after_init __ro_after_init = 0x55AA5500;
29*4882a593Smuzhiyun
/*
 * This just returns to the caller. It is designed to be copied into
 * non-executable memory regions: execute_location() and
 * execute_user_location() copy EXEC_SIZE bytes starting at its address,
 * and lkdtm_WRITE_KERN() uses the distance to do_overwritten() as the
 * size of its write. Its machine code, not just its C body, is the test
 * payload, so keep it minimal and leave it where it is in the file.
 */
static void do_nothing(void)
{
	return;
}
38*4882a593Smuzhiyun
/*
 * Must immediately follow do_nothing for size calculations to work out:
 * lkdtm_WRITE_KERN() computes do_overwritten - do_nothing and then tries
 * to copy do_nothing's code over this function. If that write is wrongly
 * allowed, calling this afterwards will no longer print the message below.
 */
static void do_overwritten(void)
{
	pr_info("do_overwritten wasn't overwritten!\n");
	return;
}
45*4882a593Smuzhiyun
/*
 * Try to run code at @dst. With @write == CODE_WRITE the body of
 * do_nothing() is first copied there; with CODE_AS_IS the location is
 * executed as found. Reaching the final pr_err() means the region was
 * executable, which is the failure case.
 */
static noinline void execute_location(void *dst, bool write)
{
	unsigned long start = (unsigned long)dst;
	void (*func)(void) = dst;

	/* Reference run: the payload must work from its real home first. */
	pr_info("attempting ok execution at %px\n", do_nothing);
	do_nothing();

	if (write == CODE_WRITE) {
		/* Plant the payload, then make the I-cache see the new bytes. */
		memcpy(dst, do_nothing, EXEC_SIZE);
		flush_icache_range(start, start + EXEC_SIZE);
	}

	pr_info("attempting bad execution at %px\n", func);
	func();
	pr_err("FAIL: func returned\n");
}
62*4882a593Smuzhiyun
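/*
 * Like execute_location(), but for a userspace address: the copy of
 * do_nothing() is planted through access_process_vm() and then called
 * directly from kernel mode. Reaching the final pr_err() means the
 * kernel was allowed to execute user memory, which is the failure case.
 * If the copy could not be made, the skip is logged instead of silently
 * returning, so a run that neither crashes nor prints FAIL is explained.
 */
static void execute_user_location(void *dst)
{
	int copied;

	/* Intentionally crossing kernel/user memory boundary. */
	void (*func)(void) = dst;

	pr_info("attempting ok execution at %px\n", do_nothing);
	do_nothing();

	copied = access_process_vm(current, (unsigned long)dst, do_nothing,
				   EXEC_SIZE, FOLL_WRITE);
	if (copied < EXEC_SIZE) {
		/* Short or failed copy: nothing valid to execute, skip. */
		pr_warn("only copied %d of %d bytes to %px, skipping\n",
			copied, EXEC_SIZE, dst);
		return;
	}
	pr_info("attempting bad execution at %px\n", func);
	func();
	pr_err("FAIL: func returned\n");
}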
81*4882a593Smuzhiyun
/*
 * Write to a const variable that lives in .rodata. The store goes
 * through a volatile pointer so the compiler cannot drop it; surviving
 * the store means .rodata was writable, which is the failure case.
 */
void lkdtm_WRITE_RO(void)
{
	/* Explicitly cast away "const" for the test and make volatile. */
	unsigned long *writable = (unsigned long *)&rodata;
	volatile unsigned long *ptr = writable;

	pr_info("attempting bad rodata write at %px\n", ptr);
	*ptr = *ptr ^ 0xabcd1234;
	pr_err("FAIL: survived bad write\n");
}
91*4882a593Smuzhiyun
/*
 * Write to a __ro_after_init variable. It must first have been written
 * during init (lkdtm_perms_init() sets the 0xAA bits); if it was not,
 * the real test is skipped. Surviving the store means the region was
 * still writable after init, which is the failure case.
 */
void lkdtm_WRITE_RO_AFTER_INIT(void)
{
	volatile unsigned long *ptr = &ro_after_init;
	bool written_in_init = (*ptr & 0xAA) == 0xAA;

	/*
	 * Verify we were written to during init. Since an Oops
	 * is considered a "success", a failure is to just skip the
	 * real test.
	 */
	if (!written_in_init) {
		pr_info("%p was NOT written during init!?\n", ptr);
		return;
	}

	pr_info("attempting bad ro_after_init write at %px\n", ptr);
	*ptr = *ptr ^ 0xabcd1234;
	pr_err("FAIL: survived bad write\n");
}
110*4882a593Smuzhiyun
/*
 * Write to kernel .text: copy do_nothing()'s code over do_overwritten(),
 * which must sit directly after it so their address difference is the
 * number of bytes to copy. Surviving the memcpy means .text was writable
 * (the failure case); do_overwritten() is then called to show whether
 * its body really changed.
 */
void lkdtm_WRITE_KERN(void)
{
	unsigned long src = (unsigned long)do_nothing;
	unsigned long dst = (unsigned long)do_overwritten;
	size_t size = dst - src;
	volatile unsigned char *ptr = (unsigned char *)do_overwritten;

	pr_info("attempting bad %zu byte write at %px\n", size, ptr);
	memcpy((void *)ptr, (unsigned char *)do_nothing, size);
	flush_icache_range(dst, dst + size);
	pr_err("FAIL: survived bad write\n");

	do_overwritten();
}
126*4882a593Smuzhiyun
/* Execute from the .data section (copying do_nothing() there first). */
void lkdtm_EXEC_DATA(void)
{
	void *target = data_area;

	execute_location(target, CODE_WRITE);
}
131*4882a593Smuzhiyun
/* Execute from the kernel stack (copying do_nothing() there first). */
void lkdtm_EXEC_STACK(void)
{
	u8 stack_area[EXEC_SIZE];
	void *target = stack_area;

	execute_location(target, CODE_WRITE);
}
137*4882a593Smuzhiyun
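/*
 * Execute from a kmalloc() allocation (copying do_nothing() there first).
 * A failed allocation is reported and skipped instead of being passed to
 * execute_location(): a NULL target would fault on the memcpy, and a
 * crash-expecting harness could misread that as the NX trap this test
 * is looking for.
 */
void lkdtm_EXEC_KMALLOC(void)
{
	u32 *kmalloc_area = kmalloc(EXEC_SIZE, GFP_KERNEL);

	if (!kmalloc_area) {
		pr_warn("Failed to allocate kmalloc memory\n");
		return;
	}
	execute_location(kmalloc_area, CODE_WRITE);
	kfree(kmalloc_area);
}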
144*4882a593Smuzhiyun
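/*
 * Execute from a vmalloc() allocation (copying do_nothing() there first).
 * A failed allocation is reported and skipped instead of being passed to
 * execute_location(): a NULL target would fault on the memcpy, and a
 * crash-expecting harness could misread that as the NX trap this test
 * is looking for.
 */
void lkdtm_EXEC_VMALLOC(void)
{
	u32 *vmalloc_area = vmalloc(EXEC_SIZE);

	if (!vmalloc_area) {
		pr_warn("Failed to allocate vmalloc memory\n");
		return;
	}
	execute_location(vmalloc_area, CODE_WRITE);
	vfree(vmalloc_area);
}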
151*4882a593Smuzhiyun
/*
 * Execute a copy of do_nothing() that the build placed in .rodata;
 * nothing is written first, the location is run as is.
 */
void lkdtm_EXEC_RODATA(void)
{
	void *target = lkdtm_rodata_do_nothing;

	execute_location(target, CODE_AS_IS);
}
156*4882a593Smuzhiyun
/*
 * Execute from an anonymous userspace mapping created with PROT_EXEC.
 * Anything at or above TASK_SIZE is treated as a failed mapping and the
 * test is skipped; otherwise the mapping is torn down again afterwards.
 */
void lkdtm_EXEC_USERSPACE(void)
{
	const unsigned long prot = PROT_READ | PROT_WRITE | PROT_EXEC;
	const unsigned long flags = MAP_ANONYMOUS | MAP_PRIVATE;
	unsigned long user_addr = vm_mmap(NULL, 0, PAGE_SIZE, prot, flags, 0);

	if (user_addr >= TASK_SIZE) {
		pr_warn("Failed to allocate user memory\n");
		return;
	}
	execute_user_location((void *)user_addr);
	vm_munmap(user_addr, PAGE_SIZE);
}
171*4882a593Smuzhiyun
/* Call address zero as a function; nothing is written there first. */
void lkdtm_EXEC_NULL(void)
{
	void *target = NULL;

	execute_location(target, CODE_AS_IS);
}
176*4882a593Smuzhiyun
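/*
 * Read from and write to a userspace page directly from kernel mode,
 * bypassing the uaccess helpers. A copy_to_user() of zero is done first
 * (presumably to make sure the page is populated) and its failure skips
 * the test. The direct accesses go through a volatile pointer, matching
 * lkdtm_ACCESS_NULL(), so the compiler must emit each one in order
 * around the log messages. Surviving either access is the failure case;
 * the mapping is torn down on every path after it was created.
 */
void lkdtm_ACCESS_USERSPACE(void)
{
	unsigned long user_addr, tmp = 0;
	volatile unsigned long *ptr;

	user_addr = vm_mmap(NULL, 0, PAGE_SIZE,
			    PROT_READ | PROT_WRITE | PROT_EXEC,
			    MAP_ANONYMOUS | MAP_PRIVATE, 0);
	if (user_addr >= TASK_SIZE) {
		pr_warn("Failed to allocate user memory\n");
		return;
	}

	if (copy_to_user((void __user *)user_addr, &tmp, sizeof(tmp))) {
		pr_warn("copy_to_user failed\n");
		goto out_unmap;
	}

	ptr = (unsigned long *)user_addr;

	pr_info("attempting bad read at %px\n", ptr);
	tmp = *ptr;
	tmp += 0xc0dec0de;
	pr_err("FAIL: survived bad read\n");

	pr_info("attempting bad write at %px\n", ptr);
	*ptr = tmp;
	pr_err("FAIL: survived bad write\n");

out_unmap:
	vm_munmap(user_addr, PAGE_SIZE);
}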
209*4882a593Smuzhiyun
/*
 * Dereference address zero for a read and then a write, through a
 * volatile pointer so both accesses are really emitted. Surviving
 * either one is the failure case.
 */
void lkdtm_ACCESS_NULL(void)
{
	volatile unsigned long *ptr = NULL;
	unsigned long tmp;

	pr_info("attempting bad read at %px\n", ptr);
	tmp = *ptr + 0xc0dec0de;
	pr_err("FAIL: survived bad read\n");

	pr_info("attempting bad write at %px\n", ptr);
	*ptr = tmp;
	pr_err("FAIL: survived bad write\n");
}
224*4882a593Smuzhiyun
/*
 * Runs during __init, while __ro_after_init data is still writable:
 * set the 0xAA bits that lkdtm_WRITE_RO_AFTER_INIT() later checks for.
 */
void __init lkdtm_perms_init(void)
{
	/* Make sure we can write to __ro_after_init values during __init */
	ro_after_init = ro_after_init | 0xAA;
}